mac80211/wpa: use constant time memory comparison for MACs
Otherwise, we enable all sorts of forgeries via timing attack. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Cc: Johannes Berg <johannes@sipsolutions.net> Cc: linux-wireless@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This commit is contained in:
parent
c87905bec5
commit
98c67d187d
1 changed files with 5 additions and 4 deletions
|
@ -17,6 +17,7 @@
|
|||
#include <asm/unaligned.h>
|
||||
#include <net/mac80211.h>
|
||||
#include <crypto/aes.h>
|
||||
#include <crypto/algapi.h>
|
||||
|
||||
#include "ieee80211_i.h"
|
||||
#include "michael.h"
|
||||
|
@ -153,7 +154,7 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
|
|||
data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
|
||||
key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
|
||||
michael_mic(key, hdr, data, data_len, mic);
|
||||
if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0)
|
||||
if (crypto_memneq(mic, data + data_len, MICHAEL_MIC_LEN))
|
||||
goto mic_fail;
|
||||
|
||||
/* remove Michael MIC from payload */
|
||||
|
@ -1048,7 +1049,7 @@ ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx)
|
|||
bip_aad(skb, aad);
|
||||
ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
|
||||
skb->data + 24, skb->len - 24, mic);
|
||||
if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
|
||||
if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
|
||||
key->u.aes_cmac.icverrors++;
|
||||
return RX_DROP_UNUSABLE;
|
||||
}
|
||||
|
@ -1098,7 +1099,7 @@ ieee80211_crypto_aes_cmac_256_decrypt(struct ieee80211_rx_data *rx)
|
|||
bip_aad(skb, aad);
|
||||
ieee80211_aes_cmac_256(key->u.aes_cmac.tfm, aad,
|
||||
skb->data + 24, skb->len - 24, mic);
|
||||
if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
|
||||
if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
|
||||
key->u.aes_cmac.icverrors++;
|
||||
return RX_DROP_UNUSABLE;
|
||||
}
|
||||
|
@ -1202,7 +1203,7 @@ ieee80211_crypto_aes_gmac_decrypt(struct ieee80211_rx_data *rx)
|
|||
if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce,
|
||||
skb->data + 24, skb->len - 24,
|
||||
mic) < 0 ||
|
||||
memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
|
||||
crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
|
||||
key->u.aes_gmac.icverrors++;
|
||||
return RX_DROP_UNUSABLE;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue